Abstract. The internal state of the Klimov-Shamir number generator TF-1 consists of four words of size $w$ bits each, whereas its intended strength is $2^{2w}$. We exploit an asymmetry in its output function to show that the internal state can be recovered after observing $2^w$ outputs, using $2^{1.5w}$ operations. For $w = 32$ the attack is practical, but for their recommended $w = 64$ it is only of theoretical interest.



1. Generalized TF-1 generators 



The Klimov-Shamir number generator TF-1 was introduced in [3] and is based on the methods developed in [2] and references therein. It is an iterative pseudorandom number generator. Its internal state consists of four words $a, b, c, d$ of size $w$ bits each. $C_0, C_1, C_2, C_3$ are fixed constants chosen to optimize several properties (which are not relevant for our analysis). The update function of the generator is defined as follows:¹
where



$$s = (C_0 + (a \wedge b \wedge c \wedge d)) \oplus (a \wedge b \wedge c \wedge d).$$
After each update, an output value
$$S(a + c) \cdot (S(b + d) \vee 1)$$
is extracted, where $S$ is the function swapping the upper and lower halves of its input, i.e., $S(x) = x / 2^{w/2} + x \cdot 2^{w/2}$ (taken modulo $2^w$) for each $x$, where "/" denotes integer division.
¹ In the following description, $\wedge$, $\vee$, $\oplus$ denote bitwise logical and, or, and xor, respectively, and addition and multiplication are always carried out modulo $2^w$.
Earlier variants of this generator were cryptanalyzed in several works, see for example [1, 4]. None of the earlier attacks applies to the present generator, though, since the present output function is more complicated. We will present an attack on a generalized family of TF-1 generators, containing the Klimov-Shamir generator as a particular case.

Definition 1 (Klimov-Shamir [2]). $T : \{0,1\}^{m \times w} \to \{0,1\}^{n \times w}$ is a T-function if, for each $k = 1, \dots, w$, the first $k$ columns of $T(X)$ depend only on the first $k$ columns of $X$.

Note that, using the convention that words from $\{0,1\}^w$ are written such that the leftmost bit is the least significant one, the update function of a TF-1 generator is a T-function.

The following is a generalization of the family of TF-1 generators. The fact that we pose no restriction on its function $F$ (and are still able to cryptanalyze it, as shown below) seems to be of special interest.

Definition 2. A generalized TF-1 generator consists of an update function $T_1 : \{0,1\}^{4 \times w} \to \{0,1\}^{4 \times w}$ and output auxiliary functions $T_2, F : \{0,1\}^{4 \times w} \to \{0,1\}^w$. $T_1$ and $T_2$ are T-functions, but $F$ can be any efficiently computable function. Its internal state is a matrix $A \in \{0,1\}^{4 \times w}$. The update function is
$$A \leftarrow T_1(A).$$
After each update, an output value
$$S(T_2(A)) \cdot (F(A) \vee 1)$$
is extracted. (For TF-1 itself, $T_2(A) = a + c$ and $F(A) = S(b + d)$.)

2. Cryptanalysis 

Generators with poor statistical properties are not suitable for cryp- 
tographic usage. We therefore restrict attention to the nondegenerate 
cases. 

Lemma 3. Assume that $T : \{0,1\}^{4 \times w} \to \{0,1\}^w$ is a (mildly) random-looking T-function, $k, l \in \{1, \dots, w\}$, and $l \le k$. If the first $l - 1$ columns of $X$ are known and $T(X) = 0$, then the list of all possibilities for columns $l, \dots, k$ of $X$ can be enumerated in (roughly) $2^{3(k-l)}$ operations.

Proof. First check all $2^4$ possibilities for the $l$-th column of $X$. Only about $2^3$ of them should give $0$ at the $l$-th bit of $T(X)$. For each of them, check all $2^4$ possibilities for the $(l+1)$-th column; again about $2^3$ of these will survive. Continue in this manner. The total number of operations is roughly
$$2^4 + 2^3 \cdot 2^4 + (2^3)^2 \cdot 2^4 + \dots + (2^3)^{k-l-1} \cdot 2^4 \approx 2 \cdot 2^{3(k-l)}.$$
Note that there is no need to store the resulting tree in memory, since the search in the tree can be of "depth first" type, i.e., follow each branch up to its end before moving to the next branch. □

Remark 4. For the function $T((a,b,c,d)^t) = a + c$ used in TF-1, the enumeration as in Lemma 3 is trivial: just enumerate $(a, b, -a, d)^t$ where $a, b, d \in \{0,1\}^k$. Note further that $0$ plays no special role in the proof of Lemma 3 and it can be replaced by any constant.

Theorem 5. Assume that $G$ is a generalized TF-1 generator which is (mildly) random-looking. Then the internal state of $G$ can be recovered from roughly $2^w$ output words, using roughly $2^{1.5w}$ operations.

Proof. Scan the output sequence until an output word $0$ is found (this requires roughly $2^w$ output words). Denote the internal state at this point by $A$. Then
$$S(T_2(A)) \cdot (F(A) \vee 1) = 0.$$
As $F(A) \vee 1$ is odd, and hence relatively prime to $2^w$, we have that $S(T_2(A)) = 0$, and therefore $T_2(A) = 0$.

Use Lemma 3 with $l = 1$ and $k = w/2 + 1$ to enumerate the $2^{3k}$ possibilities for the first $k$ columns of $A$. During the enumeration, compute for each possibility the first $k$ columns of $A' = T_1(A)$ and of $T_2(A')$. The $k$-th bit of $T_2(A')$ should be equal to the least significant bit of the next output word: since $F(A') \vee 1$ is odd, the least significant bit of $S(T_2(A')) \cdot (F(A') \vee 1)$ equals the least significant bit of $S(T_2(A'))$, which is bit $w/2 + 1 = k$ of $T_2(A')$, and this bit depends only on the first $k$ columns of $A'$. This rules out about half of the suggested solutions. Checking one more step rules out about half of the remaining solutions, etc. Algorithmically, continue updating and checking until a contradiction is found (or until a solution survives more than $3k$ steps), and then move to the next suggested solution. On average this requires two steps per suggested solution.

Having completed the above $2^{3k+1}$ operations, the first $k$ columns of $A$ are known. Use Lemma 3 again to go over all possibilities for columns $k+1, \dots, w$ of $A$. Now there are only $2^{3(w-k)} = 2^{3k-6}$ possibilities, and each of them gives complete knowledge of the internal state and can thus be checked by computing one or two output words. The total number of operations is roughly
$$2^{3k+1} + 2^{3k-6} \approx 2^{3k+1} = 2^{1.5w+4} = 16 \cdot 2^{1.5w}. \qquad \square$$
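The search of Lemma 3 and the filtering of Theorem 5 are easiest to follow in code. The following Python program is an added example; it is not part of the paper and not Klimov-Shamir's code. It builds a generalized TF-1 generator with $w = 8$ and runs the attack against it. The update function $T_1$ is a constructed toy T-function (an assumption, since the page does not reproduce TF-1's own update rule), assembled only from $+$, multiplication, $\vee$, $\oplus$ and doubling so that the T-function property holds; $T_2(A) = a + c$ and $F(A) = S(b + d)$ are taken from TF-1's output function. Lemma 3 is implemented as the generic depth-first column search rather than the trivial $(a, b, -a, d)^t$ enumeration of Remark 4, so the same routine works for any T-function $T_2$. Instead of scanning $2^w$ words for a zero output, the test stream is constructed by stepping a state with $a + c = 0$ backwards through the inverse of $T_1$, which plants a zero word at a known position; the filter of the proof is run for $3k + 8$ rather than $3k$ steps so that fewer false survivors reach the final check. All names, constants and the sample state are assumptions of the example.

```python
W = 8                                   # the paper's w; 8 bits keeps the 2^(1.5w) search instant
HALF, MASK = W // 2, (1 << W) - 1

def S(x):
    """Swap the upper and lower halves: S(x) = x / 2^(W/2) + x * 2^(W/2) (mod 2^W)."""
    return ((x >> HALF) | (x << HALF)) & MASK

def update(A):
    """Constructed update function T1 (an assumption; NOT Klimov-Shamir's TF-1 rule). Only
    +, *, |, ^, << are used, so bit i of every new word depends on bits 0..i of the old
    ones: T1 is a multiword T-function. The triangular form keeps it easy to invert."""
    a, b, c, d = A
    a = (a + (b * (c | 5) ^ (d << 1))) & MASK
    b = (b ^ (a * (d | 3) + (c << 1))) & MASK
    c = (c + (a * (b | 5) ^ (d << 1))) & MASK
    d = (d ^ (c * (a | 3) + (b << 1))) & MASK
    return (a, b, c, d)

def update_inverse(A):
    """Inverse of update(); used only to plant a zero output word inside a test stream."""
    a, b, c, d = A
    d = (d ^ (c * (a | 3) + (b << 1))) & MASK
    c = (c - (a * (b | 5) ^ (d << 1))) & MASK
    b = (b ^ (a * (d | 3) + (c << 1))) & MASK
    a = (a - (b * (c | 5) ^ (d << 1))) & MASK
    return (a, b, c, d)

def T2(A): return (A[0] + A[2]) & MASK           # TF-1's T2(A) = a + c, a T-function
def F(A): return S((A[1] + A[3]) & MASK)         # TF-1's F(A) = S(b + d); any function would do

def output(A):
    """The output word S(T2(A)) * (F(A) | 1) mod 2^W extracted after each update."""
    return (S(T2(A)) * (F(A) | 1)) & MASK

def run(seed, n):
    """n updates from seed; returns the successive states (an output is extracted from each)."""
    states = []
    for _ in range(n):
        seed = update(seed)
        states.append(seed)
    return states

def find_zero_output(outputs):
    """Step 1 of Theorem 5: find a zero output word (expected after about 2^W words).
    F(A) | 1 is odd, so output 0 forces S(T2(A)) = 0 and hence T2(A) = 0."""
    return next((t for t, o in enumerate(outputs) if o == 0), None)

def enumerate_columns(T, partial, lo, hi, target=0):
    """Lemma 3 as a depth-first search: `partial` fixes bit positions 0..lo-1 of the four words
    (higher bits zero). Yields every setting of positions lo..hi-1 under which bits lo..hi-1
    of T(X) agree with `target`. Bit i of a T-function needs only bits 0..i, so each column
    is checked before the next is chosen (about 2^3 of the 2^4 choices survive)."""
    if lo == hi:
        yield partial
        return
    for col in range(16):
        X = tuple(w | (((col >> j) & 1) << lo) for j, w in enumerate(partial))
        if (T(X) >> lo) & 1 == (target >> lo) & 1:
            yield from enumerate_columns(T, X, lo + 1, hi, target)

def consistent_prefix(X, outputs, k, steps):
    """Theorem 5 filter. X holds the first k = W/2+1 columns of A. The lsb of each later output
    word equals bit W/2 (the k-th bit) of T2 of that step's state: S moves bit W/2 to
    position 0 and the odd factor F|1 keeps the lsb. That bit follows from the first k
    columns alone, and each step rejects about half of the candidates."""
    lowmask = (1 << k) - 1
    for t in range(1, steps + 1):
        X = tuple(x & lowmask for x in update(X))
        if (T2(X) >> (k - 1)) & 1 != outputs[t] & 1:
            return False
    return True

def recover_state(outputs):
    """Theorem 5: outputs[0] must be a zero word. Returns every full state that reproduces the
    given words; the state the zero word was extracted from is among them."""
    assert outputs[0] == 0
    k = W // 2 + 1
    steps = min(len(outputs) - 1, 3 * k + 8)        # a little more than the paper's 3k
    n = min(len(outputs), 2 * W)
    found = []
    for X in enumerate_columns(T2, (0, 0, 0, 0), 0, k):        # first k columns, T2(A) = 0
        if consistent_prefix(X, outputs, k, steps):
            for A in enumerate_columns(T2, X, k, W):           # columns k+1..W, still T2(A) = 0
                if [output(s) for s in [A] + run(A, n - 1)] == outputs[:n]:
                    found.append(A)
    return found

def example_stream(zero_at=24, length=64):
    """Constructed test data (assumption): a secret state with a + c = 0, whose output word is
    0, is stepped back zero_at+1 times with update_inverse; running forward from there puts
    the secret at states[zero_at], so a zero word occurs no later than that index."""
    seed = secret = (0x5A, 0xC3, (-0x5A) & MASK, 0x1E)
    for _ in range(zero_at + 1):
        seed = update_inverse(seed)
    states = run(seed, length)
    assert states[zero_at] == secret
    return states, [output(s) for s in states]

if __name__ == "__main__":
    states, outs = example_stream()
    t = find_zero_output(outs)
    print(f"zero output word at index {t}; true state {states[t]}")
    print("recovered:", recover_state(outs[t:]))
```

With $W = 8$ the first phase enumerates $2^{3k} = 2^{15}$ prefixes and the second $2^{3(w-k)} = 2^9$ completions per survivor, so the recovery runs in seconds; setting W to 16 multiplies the work by $2^{12}$, which is exactly the $2^{1.5w}$ growth of Theorem 5. `recover_state` returns a list rather than a single state because the final check compares only $2w$ output words, so a spurious candidate, while very unlikely, is not excluded by construction.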
3. Examples

Any generalized TF-1 generator for words of 32 bits has an internal state of size 128 bits and intended strength $2^{64}$. By Theorem 5, the whole internal state can be recovered from $2^{32}$ output words (i.e., 16 gigabytes) using $16 \cdot 2^{1.5 \cdot 32} = 2^{52}$ operations. These parameters are practical.

Any generalized TF-1 generator for words of 64 bits has an internal state of size 256 bits and intended strength $2^{128}$. By Theorem 5, the internal state can be recovered from $2^{64}$ output words using $16 \cdot 2^{1.5 \cdot 64} = 2^{100}$ operations. In this setting, our attack is only of theoretical interest.

Acknowledgments. We thank Alexander Klimov and the referees for 
their comments. 